C & D are Correct.
- https://live.paloaltonetworks.com/t5/blogs/pan-os-9-0-dns-security-and-content-inspection/ba-p/249812
---Deals with 100K limit
- https://docs.paloaltonetworks.com/threat-prevention
---Deals with DNS Security feature and how to buy and activate it.
According to the PCNSA Study Guide for PAN-OS 11 (Jan 2023 version), page 96:
"Licenses are activated from the Palo Alto Networks Customer
Support Portal and must be active before DNS analysis can take place"
So, that excludes A and makes the second statement of C correct; the first statement also seems correct.
As for D, I think it is not correct. From https://docs.paloaltonetworks.com/dns-security/administration/about-dns-security/cloud-delivered-dns-signatures "Locally available, downloadable DNS signature sets (packaged with the antivirus and WildFire updates) come with a hard-coded capacity limitation of 100k signatures"; this means that the limit for DNS downloaded from DNS updates is the same, since it is hard-coded even after its activation. In fact, as answer B says, it is a system that resolves the limitation by eliminating the need for dynamic DNS updates.
D would have been correct if they had substituted the word "removes" with "resolves".
C. It functions like PAN-DB and requires activation through the app portal.
The DNS Security service is a cloud-based service similar to PAN-DB in its operation and requires activation through the Palo Alto Networks application portal.
D. It removes the 100K limit for DNS entries for the downloaded DNS updates.
Traditional DNS updates have a limit of 100,000 entries. The DNS Security service removes this limitation by using cloud-based dynamic lookups instead of relying solely on static database entries.
B is not correct
B. It eliminates the need for dynamic DNS updates.
This statement is incorrect as dynamic updates are still necessary for DNS Security to provide real-time protection against threats.
C. It functions like PAN-DB and requires activation through the app portal.
Similar to other Palo Alto Networks security services like PAN-DB, the DNS Security service needs to be activated through the app portal. This activation ensures that the service is properly set up and configured to start protecting against DNS-based threats.
D. It removes the 100K limit for DNS entries for the downloaded DNS updates.
One of the enhancements provided by the DNS Security service is that it removes the previous limitation of 100,000 DNS entries. This allows for a more comprehensive and extensive database of DNS signatures and threat intelligence to be used for detecting and preventing DNS-based threats.
Agree with drogadot,
A. Nope, it’s not auto-enabled and configured, and it requires activation through the app portal.
B. Yup, because it leverages the data in the cloud so you don’t need to download it locally.
C. Yup, see A & B.
D. Nope, the local database's hard-coded limit of 100k did not magically disappear; it’s still there, you will just not get limited by it because you are referencing/using a cloud-based database.
Correct answer should be B & C.
D is incorrect. The downloaded DNS updates still have the 100k limitation hardcoded; the new DNS Security cloud service doesn't "remove" the 100K limit for DNS entries for the downloaded DNS updates.
https://live.paloaltonetworks.com/t5/blogs/pan-os-9-0-dns-security-and-content-inspection/ba-p/249812
"New DNS protections are generated by using this C2 prevention service and is distributed by the cloud without the limitations of the downloadable DNS signature sets, which come with a hard-coded capacity limitation of 100k signatures. "
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/dns-security/cloud-delivered-dns-signatures
"downloadable DNS signature sets (packaged with the antivirus and WildFire updates) come with a hard-coded capacity limitation of 100k signatures"
According to this article:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/dns-security/cloud-delivered-dns-signatures
1) Locally available, downloadable DNS signature sets (packaged with the antivirus and WildFire updates) come with a hard-coded capacity limitation of 100k signatures and do not include signatures generated through advanced analysis. So D is correct.
2) To better accommodate the influx of new DNS signatures being produced on a daily basis, the cloud-based signature database provides users with instant access to newly added DNS signatures without the need to download updates. So B is correct. It eliminates the need for dynamic DNS updates.
B - There's no downloaded signature anymore, all the queries occur in real time accessing Palo Alto cloud services.
D - As no downloaded signatures are needed, it removes the 100k limitation.
C&D
A: incorrect, you need to attach an anti-spyware profile to the rule that has this feature enabled.
B: incorrect, dynamic DNS serves a whole other purpose, has nothing to do with DNS lookups (https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/networking-features/dynamic-dns-nfg.html)
C: correct, they are probably referring to the additional license you have to acquire, similar to the URL filtering license.
D: correct, DNS security aims to provide a better alternative for the DNS signature downloads, by making it cloud-based, thus eliminating the need for downloading the DNS database locally (which apparently is limited to 100k entries)
Commenters:
- Cyril_the_Squirl (Highly Voted, 3 years, 9 months ago)
- drogadotcom (Highly Voted, 2 years, 3 months ago)
- Catza (Most Recent, 6 months ago)
- mirko1976 (6 months, 1 week ago)
- mcclane654 (9 months ago)
- cjace (1 year, 2 months ago)
- cjace (1 year, 2 months ago)
- Blender808 (1 year, 10 months ago)
- Skey (2 years ago)
- KirinKev (2 years, 6 months ago)
- t_h_t_f (2 years, 8 months ago)
- markeloff23 (2 years, 9 months ago)
- Toldo75 (3 years ago)
- UFanat (3 years, 1 month ago)
- UFanat (3 years, 1 month ago)
- Eluis007 (3 years, 3 months ago)
- daan5000 (3 years, 4 months ago)